
Topic: protecting configuration and log files

I found that many configuration files of iRedMail applications are world-readable. The configuration files contain the username and password of MySQL and LDAP, so someone who has access to your server (it could be a web hosting user or an attacker who compromised some unpatched web application) can compromise the backend of iRedMail (MySQL or LDAP).

I also found that iRedAPD log files are world-readable. If the logging level is set to debug, it logs the LDIF information of the recipient, which includes the password hash of the user.

Here is a list of configuration files that need to be protected and what I did to fix them.

/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php

Fix: Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable with the password of MySQL/LDAP. So we don't need to chmod this file, just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).

$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";

/var/www/iredadmin/settings.ini

Fix: Since iRedAdmin runs inside Apache, it runs as the apache user and we can't chmod it to 600. The solution I chose is using WSGI daemon mode to make iRedAdmin run as a non-apache user, and then we can chown and chmod settings.ini to 600 mode. This short 2-minute video shows how to do it: http://www.youtube.com/watch?v=o285XYJTGQw

/var/www/roundcubemail-x.y.z/config/main.inc.php
/var/www/roundcubemail-x.y.z/config/db.inc.php

Fix: This is a similar problem to iRedAdmin. The solution I chose is using suPHP to make Roundcube run as a non-apache user and then chown and chmod to 600 mode. This short video shows how to do it: http://www.youtube.com/watch?v=V2dq0SMAb0k

After the configuration files, here are the log files that need to be protected:

/var/log/iredapd.log
/var/log/iredapd-rr.log

To fix it, chmoding those files does not solve the problem. So I added one line, os.umask(077), to the /opt/iredapd/src/iredapd.py and /opt/iredapd/src/iredapd-rr.py files after "def main():" and before "# Chroot in current directory".

Then I removed those log files and restarted iredapd and iredapd-rr to force creation of new log files with 600 mode permissions.

I know that changing source files is not recommended, but it is just a quick one-liner fix.
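The two mechanisms the post relies on, a world-readable bit on a file holding credentials and a process umask that strips group/other bits from every file the daemon creates afterwards, can be checked on any box with the small script below. It is an added example, not code from the post or from iRedMail/iRedAPD; the file names it creates (settings.ini, iredapd.log in a temporary directory) are constructed stand-ins for the paths listed above, and 0o077 is the Python 3 spelling of the octal 077 in the post.

```python
import os
import stat
import tempfile


def audit_world_readable(paths):
    """Return the subset of `paths` that exist and carry the 'other read' bit.

    A config file holding MySQL/LDAP credentials or a debug log holding
    password hashes should never appear in the returned list.
    """
    exposed = []
    for path in paths:
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            continue  # missing files are not a disclosure
        if mode & stat.S_IROTH:
            exposed.append(path)
    return exposed


def create_private_logfile(path):
    """Create `path` the way iredapd does once os.umask(077) sits in main().

    umask is process-wide, so it is saved and restored here; in the daemon
    it is set once and every later file it creates loses group/other bits.
    An already existing log keeps its old mode, which is why the post
    removes the files before restarting, so the same is done here.
    Returns the permission bits of the new file (expected 0o600).
    """
    if os.path.exists(path):
        os.remove(path)
    old = os.umask(0o077)
    try:
        with open(path, "a"):
            pass
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def run_demo():
    """Constructed scenario: one world-readable config next to a log created
    under the restrictive umask. Returns what the audit reports."""
    tmp = tempfile.mkdtemp()
    config = os.path.join(tmp, "settings.ini")  # stand-in for iredadmin/settings.ini
    with open(config, "w") as fh:
        fh.write("[general]\n")  # constructed content, no real credentials
    os.chmod(config, 0o644)     # the default that leaks the file to every local user

    log = os.path.join(tmp, "iredapd.log")  # stand-in for /var/log/iredapd.log
    log_mode = create_private_logfile(log)

    return {
        "log_mode": log_mode,
        "exposed": audit_world_readable([config, log, os.path.join(tmp, "missing")]),
        "config": config,
    }


if __name__ == "__main__":
    result = run_demo()
    print("log mode: %o" % result["log_mode"])
    print("world-readable:", result["exposed"])
```

The audit only looks at the classic mode bits; a POSIX ACL can grant read access without setting S_IROTH, so on servers that use ACLs `getfacl` should be consulted as well.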

Re: protecting configuration and log files

After the configuration files, here are the log files that need to be protected:

/var/log/iredapd.log
/var/log/iredapd-rr.log

To fix it, chmoding those files does not solve the problem. So I added one line, os.umask(077), to the /opt/iredapd/src/iredapd.py and /opt/iredapd/src/iredapd-rr.py files after "def main():" and before "# Chroot in current directory".

Then I removed those log files and restarted iredapd and iredapd-rr to force creation of new log files with 600 mode permissions.

Re: protecting configuration and log files

/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php

Fix: Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable with the password of MySQL/LDAP. So we don't need to chmod this file, just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).

$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";

To be clear, blowfish_secret is a RANDOM string, NOT the password of MySQL/LDAP.

Re: protecting configuration and log files

ZhangHuangbin wrote:

/var/www/phpMyAdmin-a.bc.de-all-languages/config.inc.php

Fix: Actually phpMyAdmin doesn't need any user/password information. But iRedMail sets the blowfish_secret variable with the password of MySQL/LDAP. So we don't need to chmod this file, just change the blowfish_secret variable to anything long and secret (you don't need to remember this value).

$cfg['blowfish_secret'] = "anyveryveryveryloooongtopsecrettext";

To be clear, blowfish_secret is a RANDOM string, NOT the password of MySQL/LDAP.

Re: protecting configuration and log files

This is the only difference; you can verify it with the kickstart file in iRedOS (/iredmail.cfg). And I believe it exists in iRedOS-0.6.0 only.

Zhang, I am sure there is no need for iRedOS-0.6.0 to be different in the way RANDOM_STRING is generated.

I just tested it and confirmed that using /dev/urandom works perfectly on iRedOS-0.6.0. I modified the iRedOS-0.6.0 ISO file and changed only the conf/global file to use /dev/urandom for the RANDOM_STRING variable. Then I fired up my VMware, and it installed perfectly. On that test box, I got a nicer and unique password such as "Vd96oenWnuGUiVfFt8X1fayQIGcv1b", compared to the identical and numeric-only ones of the original iRedOS-0.6.0.
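Both the blowfish_secret advice in the first post (any long secret value, no need to remember it) and the RANDOM_STRING discussion above come down to the same thing: draw the value from the kernel CSPRNG rather than from something predictable. The script below is an added example, not part of the thread or of the iRedOS installer; it uses Python's `secrets` module (which reads from the OS random source, /dev/urandom on Linux) to produce a 30-character alphanumeric value like the sample in the post, and adds a small check that rejects the kind of value the post complains about (digits only, or every character the same). The minimum length of 20 in `is_weak_secret` is an assumption for this example, not a requirement stated in the thread.

```python
import secrets
import string

# Same character class as the sample "Vd96oenWnuGUiVfFt8X1fayQIGcv1b" in the post.
ALPHABET = string.ascii_letters + string.digits


def random_string(length=30):
    """Return a RANDOM_STRING-style secret: `length` independent picks from
    ALPHABET using the OS CSPRNG (os.urandom / /dev/urandom underneath)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_weak_secret(value, min_length=20):
    """Flag values that should not be used as blowfish_secret or a generated
    password: shorter than min_length (assumed threshold), digits only, or a
    single repeated character."""
    if len(value) < min_length:
        return True
    if value.isdigit():
        return True
    if len(set(value)) == 1:
        return True
    return False


def phpmyadmin_blowfish_line(secret):
    """Render the config.inc.php line from the first post for a generated secret."""
    return "$cfg['blowfish_secret'] = \"%s\";" % secret


if __name__ == "__main__":
    s = random_string()
    print(phpmyadmin_blowfish_line(s))
    print("weak:", is_weak_secret(s))
```

Because `secrets.choice` never blocks and never falls back to a time-seeded generator, two installs built from the same image still get different values, which is exactly the property the post checks for when it compares the urandom-based result with the "identical and numeric-only" originals.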